CVE-2021-33394

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-33394
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33394.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-33394
Published
2021-05-27T19:15:08Z
Modified
2025-01-08T10:45:23.897718Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

References

Affected packages

Git / github.com/cubecart/v6

Affected ranges

Type
GIT
Repo
https://github.com/cubecart/v6
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

6.*

6.1.11pr
6.2.0-b1

v2.*

v2.6.7

v6.*

v6.0.0
v6.0.0b1
v6.0.0b2
v6.0.0b3
v6.0.0b4
v6.0.0b5
v6.0.0b6
v6.0.0b7
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.8
v6.0.9
v6.1.0
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2.0
v6.2.0-b1
v6.2.0-rc1
v6.2.0-rc2
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.8
v6.2.9
v6.4.0
v6.4.0-b1
v6.4.0-b2
v6.4.1
v6.4.2